Your Cloud Hosting Provider May Be PCI Compliant But That Doesn't Mean You Are

Compliance is non-transferable: that is the gist of the PCI SSC's recent supplement on PCI cloud computing guidelines for merchants (e-commerce, retail, franchise and anyone else that handles credit cardholder data). Directly addressing merchants that work with cloud service providers (CSPs), the supplement lists a number of challenges of working with CSPs, one important enough to single out in standard 5.1:

What does "I am PCI compliant" mean? Essentially, even if you contract with a cloud hosting provider that has successfully achieved an attestation of compliance with PCI DSS version 2.0, meaning it was independently audited and reviewed by a Qualified Security Assessor (QSA), this does not mean that you as the merchant/client automatically achieve PCI compliance. A PCI cloud computing service provider can fulfill a number of the PCI technical requirements, but you still need to perform your own due diligence to maintain your organization's security and compliance.

The PCI SSC recognizes that an attestation of compliance reflects a single point in time, and that maintaining ongoing compliance requires monitoring and validation of effective controls. The merchant is ultimately responsible for these tasks, although they may be split with a CSP. One example of a validated control for a CSP is the use of up-to-date antivirus software: although this counts toward the CSP's compliance, it does not necessarily extend to the merchant/client's own operating systems or VMs.

According to the council, ongoing client-side system maintenance is required for those that connect to the PCI cloud environment. The PCI cloud guide spells it out clearly:

If a cloud hosting provider is compliant, this doesn’t mean their clients are.

If a cloud hosting provider’s clients are compliant, this doesn’t mean that the cloud hosting provider is.

If a cloud hosting provider and the client are both compliant, this doesn’t mean that any other clients are.

This is why figuring out who is responsible for what (usually both parties, to some degree) is important for covering all of your bases and leaving no room for compliance or security gaps. For a list of services that fulfill specific PCI requirements, read PCI Compliant Services and view a matrix of what a cloud hosting provider can offer.

So how can you validate the controls managed by your PCI cloud hosting provider? Cloud hosting providers that have undergone a PCI audit should be able to provide:

Attestation of compliance documentation as proof, with date of compliance assessment

Documented system components and services included in the assessment

Documented components/services excluded from the assessment

But what if your cloud provider has not yet undergone a PCI audit? Merchants/clients will then need to include their cloud provider in their own PCI assessments, and may need access to, and detailed information from, the cloud provider, including:

Physical access to systems, facilities and staff for onsite interviews (a good rule of thumb is to partner only with cloud providers that allow physical tours and walkthroughs of their facilities); read PCI Compliant Data Centers for insight into other controls.

Proof that all PCI requirements are in place and sufficiently compliant within the scope of their contracts

One way to save on significant audit costs, time and personnel resources is to partner with a PCI hosting provider that has already achieved an individual attestation of compliance and can provide the proper documentation to assure their own compliance.

For more about what a PCI compliant hosting provider should provide, read our PCI Compliant Hosting white paper. Still have questions? Contact us or chat with us now. Find out more about our fully compliant, PCI hosting solutions, or submit a quote request for your project today.

Disclaimer: Blog contents express the viewpoints of their independent authors and are not reviewed for correctness or accuracy by Toolbox for IT. Any opinions, comments, solutions or other commentary expressed by blog authors are not endorsed or recommended by Toolbox for IT or any vendor. If you feel a blog entry is inappropriate, click here to notify Toolbox for IT.